Azure AD Group Management

Alan Arley
6 min read · Aug 27, 2021


Azure AD groups help to organize users by team, area, category, etc. Azure AD can also define membership based on rules, for example by job title or by the department a user works in. Using AAD groups lets resource owners or AAD administrators assign a set of permissions to all the members of a group, which is faster and easier than granting the rights one by one.

In Azure AD there are 2 group types:

Security groups: This type of group is analogous to security groups in Windows Active Directory. They can be created in Azure AD or synced from Windows AD with Azure AD Connect, their membership can be assigned (static) or dynamic, and their main purpose is to manage user and computer access to shared resources for a group of users.

Microsoft 365 groups: These groups provide collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more apps. It is also possible to give people outside your organization access to groups of this type.

Create new group

You can create groups using the Azure portal, PowerShell or Azure CLI. Users with admin roles such as Global Administrator, Directory Writers, Groups Administrator, Privileged Role Administrator, SharePoint Administrator or User Administrator can create and/or manage groups. To explain some additional fields of the group creation process, let's do this example using the Azure portal.

The first step is to go to your tenant, where you have 3 options: create from the overview screen or from the “Groups” option.

Whichever option you choose takes you to the same form, where you have to provide the group type and name, the membership type and, optionally, a group description, group owners and the users to assign as members.

If you choose the “Microsoft 365” group type, the only difference is that you have to fill in the additional field “Group email address”, where you assign an email address to your group.

For both group types you have to provide a membership type. There are three options; according to Microsoft, the description of each one is:

Assigned: Lets you add specific users to be members of this group and to have unique permissions.

Dynamic user: Lets you use dynamic membership rules to automatically add and remove members. If a member’s attributes change, the system looks at your dynamic group rules for the directory to see if the member meets the rule requirements (is added) or no longer meets the rules requirements (is removed).

Dynamic device: Lets you use dynamic group rules to automatically add and remove devices. If a device’s attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added) or no longer meets the rules requirements (is removed).

In this example I’m going to use the Security group type and the Assigned membership type. I’m also going to leave the Owners and Members fields empty, to fill them in later, and then click the “Create” button.

A notification is displayed showing the operation status.

We also have other options to create AAD groups, for example:
Create group with PowerShell:

Create group with Azure CLI:

You can find these example scripts in my DevOps GitHub repo.

Adding owners and members to a group

Now that the group is created, the next step is to assign owners and members to it. To do that, go back to the overview of your tenant and click on the “Groups” option.

You’ll be redirected to the groups management section, where all your groups are listed. Click on any group to be redirected to its details and options.

To add owners, click on the “Owners” option.

Then you’ll see the current owners listed and the option to add new owners; click on that option.

A modal opens where you have to do 3 steps: first search for the user(s) you want to add as owners, then click on them to select them as owners, and finally click the “Select” button to complete the process.

Then you’ll see a notification showing the operation status and your new owners listed.

To add members, go to the “Members” option and then click on “Add members”.

Here you have to do the same 3 steps: first search for the user(s) you want to add as members, then click on them to select them as members, and finally click the “Select” button to complete the process.

Then you’ll see a notification showing the operation status and your new members listed.
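The same procedure (create a Security group with Assigned membership, then add its owners and members) scripted with the Microsoft Graph PowerShell SDK, plus a Dynamic user group built from a membership rule. This is an added example, not one of the author's repo scripts; it assumes the Microsoft.Graph module is installed and the display names, UPNs and department value are placeholders for your tenant.

```powershell
# Added example (not from the original post). Assumes Install-Module Microsoft.Graph
# has been run; group names, UPNs and the "Sales" department are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

function New-AssignedSecurityGroup {
    param([string]$DisplayName, [string]$Description)
    # Azure AD allows several groups with the same display name, so re-use an
    # existing one instead of silently creating a duplicate.
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if ($existing) { return $existing }
    New-MgGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled:$false -MailNickname ($DisplayName -replace '\s', '') `
        -SecurityEnabled
}

function Add-GroupOwnersAndMembers {
    param([string]$GroupId, [string[]]$OwnerUpns, [string[]]$MemberUpns)
    foreach ($upn in $OwnerUpns) {
        $user = Get-MgUser -UserId $upn
        # Owners are added by reference to the user's directory object.
        New-MgGroupOwnerByRef -GroupId $GroupId -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
        }
    }
    foreach ($upn in $MemberUpns) {
        $user = Get-MgUser -UserId $upn
        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $user.Id
    }
}

$group = New-AssignedSecurityGroup -DisplayName 'Developers' -Description 'Dev team'
Add-GroupOwnersAndMembers -GroupId $group.Id `
    -OwnerUpns  @('owner@contoso.example') `
    -MemberUpns @('dev1@contoso.example', 'dev2@contoso.example')

# Dynamic user membership: the rule, not an admin, decides who is a member, so
# users are added/removed as their department attribute changes (Premium license).
New-MgGroup -DisplayName 'Sales (dynamic)' -MailEnabled:$false -SecurityEnabled `
    -MailNickname 'SalesDynamic' -GroupTypes @('DynamicMembership') `
    -MembershipRule '(user.department -eq "Sales")' -MembershipRuleProcessingState 'On'

# Verify the result as Azure AD now sees it (matches the portal notification step).
Get-MgGroupOwner  -GroupId $group.Id | Select-Object -ExpandProperty Id
Get-MgGroupMember -GroupId $group.Id | Select-Object -ExpandProperty Id
```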

Other group management options

Some of these options, at the Groups level or inside a single group, require a premium license. The first set of options is in the Groups pane.

General: Here you have options to allow users to request to join groups, to restrict normal users' access to groups features, and to control whether users can create new security or Microsoft 365 groups.

Expiration: This section is for setting an expiration date for Microsoft 365 groups, as well as renewal notifications for admin groups.

Naming Policy: This section, as its name says, is for establishing naming conventions for Microsoft 365 groups; for example, you could create a naming policy that communicates the function of a group, its membership, geographic region, etc.

The following options are inside each group:

Properties: Here you can see the group properties as well as update its name and description.

Members: Here you can add or remove single or multiple group members.

Owners: Here you can add or remove group owners.

Administrative Units: Administrative Units are created in the tenant pane; you can assign the group to them using this option.

Group Memberships: This option is for adding the group as a member of other groups (nested groups); you can see an example by clicking this link.

Applications: In this section you’ll see the Enterprise applications assigned to the group listed; in this link you can learn more about Enterprise applications.

Licenses: Here you can assign your licensed products to the group.

Azure Role Assignments: In this section you can see all the roles assigned to the group for Azure resources, filtered by each subscription you have. For example, if you assign the Contributor role to the Developers group in your Azure Dev subscription, you’ll see that role listed in this section.
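The Contributor-to-Developers example above done with the Az PowerShell module, followed by a read-out of every Azure role the group holds in each subscription you can see, which is the same view this section shows in the portal. Added example, not from the original post; it assumes the Az module is installed and the group name and subscription id are placeholders.

```powershell
# Added example (not from the original post). Assumes Install-Module Az has been
# run; 'Developers' and the subscription id are placeholders for your tenant.
Connect-AzAccount

function Grant-GroupRoleOnSubscription {
    param([string]$GroupName, [string]$RoleName, [string]$SubscriptionId)
    $group = Get-AzADGroup -DisplayName $GroupName
    $scope = "/subscriptions/$SubscriptionId"
    # Get-AzRoleAssignment also returns assignments inherited from higher scopes
    # (management group), so an inherited Contributor role counts as already granted.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id `
        -RoleDefinitionName $RoleName -Scope $scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope
    }
}

function Get-GroupRolesAcrossSubscriptions {
    param([string]$GroupName)
    $group = Get-AzADGroup -DisplayName $GroupName
    # Role assignments are per subscription, so switch context and query each one.
    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        Get-AzRoleAssignment -ObjectId $group.Id |
            Select-Object @{ n = 'Subscription'; e = { $sub.Name } }, RoleDefinitionName, Scope
    }
}

Grant-GroupRoleOnSubscription -GroupName 'Developers' -RoleName 'Contributor' `
    -SubscriptionId '00000000-0000-0000-0000-000000000000'   # placeholder: your Dev subscription
Get-GroupRolesAcrossSubscriptions -GroupName 'Developers' | Format-Table -AutoSize
```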

With this information I’m pretty sure you can start managing your own groups.

I hope you liked my post 😊 If you have any comments or suggestions, we can get in touch through LinkedIn.

Thanks for reading.
